As both governmental and commercial organizations modernize their information technology and solutions away from more “traditional” architectures and environments, data accountability, authenticity, and relevance are becoming increasingly costly and technically difficult to achieve. Current capabilities are migrating and evolving into more distributed, scalable and dynamic platforms. For example, traditionally standalone, embedded systems such as those in the “Internet of Things” (IoT) environment now include vast, interconnected, cloud-based analytical and control systems that leverage dynamic and highly scalable data-driven architectures. While the capabilities and systems are adapting and evolving, many of the tools needed to achieve effective and efficient data accountability, authenticity, and relevance are lacking, or simply do not exist for these platforms.
Furthermore, current identity and access-management solutions aim to provide the most robust and secure mechanisms with which to authenticate and authorize users. Because it is the industry-accepted mechanism, cryptographic authentication and authorization usually represents the strongest and most secure option for enterprises. Since most enterprises and regulated organizations leverage some form of cryptographic authentication and authorization, attackers have retargeted their efforts toward a surface that is usually not cryptographically sound or immutable: the identity data itself associated with an account or user. Once attackers can access these accounts or users, they can elevate privileges, change roles or groups, and manipulate the access needed to perform an attack. Because this data is not cryptographically immutable, the attacker can also erase most of the evidence and triggers that he or she was actually there. Once done with the attack, the attacker can revoke privileges, delete logs and thwart efforts to monitor data. Furthermore, the remediation or forensic proof of the events that led to an attack is computationally and financially expensive, and requires dedicated teams and increasingly long periods of time to reconstruct the sequence of events. A decision then has to be made, based on these computationally expensive efforts and without any cryptographic proof, as to what the known good state of the identity accounts should now be.
Even disregarding the issues related to malicious attacks, the ability to easily track the provenance of data, and to verify it, is useful or desirable in many areas. Supply chains are just one example, but issues related to verifiable document management turn up in many other areas as well.